A BUSINESS AUDIT IMPOSES A COST TO THE BUSINESS; HOWEVER, NON-COMPLIANCE CAN SERIOUSLY DAMAGE THE BUSINESS.

· IT supports business processes

All organisations depend on a wide variety of IT systems to enable and support their business processes. This includes hardware and software, and ranges from email and instant messenger for communication, to document management systems for collaboration, to Enterprise Resource Planning systems for performing integrated business processes.

· Involving business users in the design of authorisations and permissions

Authorisations and permissions are the gateway to data and functionality in IT systems. Treating security as something that is only carried out by the IT techies is counter-productive. A large number of non-conformance issues are due to a misunderstanding of segregation of duties in financial systems, and can lead to horrendous problems.

· Ensuring appropriate control of user activity

Business ownership of security is vital to ensure that there is adequate control placed over who can do what in business-critical systems. Can HR prove that abuse of the internet is down to an individual if you have not provided a security policy or adequate access control?

· Clear communication and a culture of security awareness

IT systems are the lynchpin that supports business-critical functions, and treating IT security as something that is 'done' by the IT department therefore misses the point. Good communication is crucial.

· Maintaining security standards

Ensuring that a culture of security awareness pervades the organisation will also enable the business to keep its finger on the IT security pulse in the long term. Regular review of system access and IT security requirements must therefore be built into the ongoing business processes.

· IT security is good business practice

There is no excuse for security not to be well understood, but both the business and technical departments must take responsibility for collaborating to address this issue. As IT budgets remain under threat, there are some technology projects that cannot be ignored, and making IT security a priority on a day-to-day basis should simply be regarded as good business practice.

No organisation would invest unless it could demonstrate a strong case for return on investment. Remember that it has been calculated that 65% of the cost of IT is down to poor quality procedures and security. In truth, it is difficult to prove that any of these outputs is exclusively due to IT security investment. Loss of a key asset may not put a company out of business forever, but could be enough to precipitate the loss of competitive advantage, reputation and revenue stream for some time to come. Is it really worth the risk?